The Grinex cyberattack has once again drawn attention to the vulnerabilities facing the global Crypto exchange ecosystem. In a cyberattack on Grinex, the Kyrgyzstan-based platform was forced to suspend all trading operations after hackers executed a large-scale wallet breach, stealing more than $15 million in USDT.  

The cyberattack on Grinex unfolded when attackers infiltrated the exchange wallet infrastructure, extracting over 1 billion rubles, equivalent to roughly $13–15 million in USDT.  

Response to the Grinex Cyberattack 

In response, Grinex halted all trading activities, including withdrawals, effectively locking users out of their accounts while the platform assessed the damage. The company described the wallet breach as a “highly coordinated” operation carried out by skilled threat actors equipped with advanced tools and resources.  

While Grinex suggested the possibility of foreign intelligence involvement, claiming the attack may have been intended to undermine Russia’s financial independence, no concrete evidence has been presented to support this assertion. Investigations into the Grinex cyberattack are ongoing, and the source of the breach remains unidentified. 

Stolen Funds Rapidly Moved Across Blockchains 

Following the wallet breach, the attackers wasted no time in attempting to obscure the trail of stolen assets. According to blockchain analytics firm Elliptic, the hackers quickly distributed the funds across multiple wallets and blockchain networks, including Ethereum and Tron. 

This tactic, commonly observed in major Crypto exchange hacks, is designed to slow down tracking efforts by law enforcement. The attackers also converted USDT into other digital assets such as TRX and ETH. This step was likely taken because Tether, the issuer of USDT, has the authority to freeze tokens linked to illicit activity. 

Eventually, the stolen funds were consolidated into a primary wallet containing approximately 45.9 million TRX, valued at around $15 million. This consolidation phase typically signals that attackers are deciding whether to hold, redistribute, or liquidate the assets, as reported by MEXC.  

The Grinex cyberattack follows well-documented cybercrime patterns, including “chain-hopping” (moving funds across multiple blockchains) and “layering” (spreading funds across numerous wallets). These methods exploit the decentralized nature of blockchain systems, where the absence of a central authority allows funds to move with limited immediate intervention. 

Broader Risks for Crypto Exchanges 

The cyberattack on Grinex is part of a new trend affecting the Crypto exchange industry throughout 2025 and 2026. Security researchers have repeatedly identified hot wallet vulnerabilities and compromised transaction-signing processes as the most common entry points for attackers. 

Grinex itself acknowledged facing ongoing operational challenges, including sanctions pressure, transaction restrictions, and prior minor cyber incidents. The company stated that these pressures have required aggressive defensive measures. 

In the aftermath of the wallet breach, Grinex filed a criminal complaint and shared all available data with law enforcement agencies to aid in tracking the stolen funds.  

Links to Sanctioned Ecosystems Raise Stakes 

Grinex is widely regarded as a successor to Garantex, a major Crypto exchange that ceased operations in 2025 following sanctions from the United States, European Union, and United Kingdom over alleged money laundering activities. After Garantex shut down, a large portion of its user base and liquidity migrated to platforms like Grinex. 

This transition positioned Grinex as a key trading hub for ruble-based crypto transactions. It also became central to the use of stablecoins such as A7A5, a ruble-backed token tied to deposits held by sanctioned institutions. Operating across blockchains like Ethereum and Tron, A7A5 enables large-scale, cross-border transactions. 

However, it is noted that a relatively small number of wallets control a large share of these transactions, concentrating activity among a limited group of participants. Such structures can facilitate sanction evasion, making platforms like Grinex both strategically important and highly attractive targets for cybercriminals.